Smart Grids Need to be Updated, Rebuilt With Security to Reduce Vulnerabilities

Smart grids were not designed with security in mind, making the entire infrastructure highly vulnerable, McAfee said in a recent report.

Outdated systems, lack of automation, and the proliferation of interconnected embedded systems are some of the reasons why legacy smart grids are vulnerable to cyber-attacks, McAfee wrote in its Getting Smarter About Smart Grid Cybertheats report, released Wednesday. Attacks include espionage and sabotage, and defending against them is a challenge because attempts come from different sources. Utilities have to protect themselves from organized criminal enterprises, commercial competitors, and governments, all with disparate tools and goals, McAfee said.

Extortion is also a prevalent threat to the global energy sector, as criminals break into utilities and demand a ransom in exchange for not causing any damage. The ransom amounts are in hundreds of millions of dollars, according to McAfee. One in four power companies globally said they had been victims of extortion, McAfee said. In some countries, extortion attempts are even higher, hitting 80 percent in Mexico and 60 percent in India.

“We need to better understand the threat landscape, whether it’s international, domestic, external, or even posed by insiders,” Philip Craig, a researcher in the Department of Energy's Pacific Northwest National Laboratory, said in the McAfee report.

Energy systems have been historically separated into three distinct domains, McAfee said. Industrial control systems run heavy-duty equipment, system control and data acquisition (SCADA) systems allow administrators to monitor ICS systems, and the internal IT network contain the databases and applications the employees need to get their work done. In recent years, these domains have become interconnected, making it possible to transfer data across systems. While this improved efficiency and provided more useful intelligence, it also increased the system's overall vulnerability, McAfee said.

"Bridging the air gaps between IT, SCADA, and ICS meant that an intruder could gain access to all three domains simply by entering any one of those," McAfee wrote in the report.

The "most alarming cause of vulnerability" is tied to the increasing popularity of off-the-shelf embedded systems, McAfee said. While each of these systems perform a single function, many of them use off-the-shelf software and are essentially generic. Criminals can analyze one system and be able to gain control of other systems and disrupt processes.

The industry is interested in automation to take care of repetitive tasks and free up employees to work on other things. Connecting the systems to the Internet allowed administrator to work remotely and to collect real-time information. However, as many of the older systems were connected to the Internet without using encryption, the systems were exposed to the outside world.

"Security needs to be built into grid components at the planning and design phase," said Tom Moore, vice-president of embedded security at McAfee.

No one intentionally set out to build a bad smart grid, but the current energy infrastructure has all three elements that make a "perfectly bad system" that could have "catastrophic consequences," Jason Healey, director of the cyberstatecraft initiative at the Atlantic Council, said in the report.

"First, it would all be interconnected, so that failure in any one area would affect all others. Second, it would connect real things made of concrete and steel, not just silicon, so that failure would cause real physical damage—fires or explosions. And third, we’d connect it to the Internet, knowing that intruders could get into it because they’ve already tried and succeeded," Healey said.

McAfee estimated that 70 percent of the existing energy grid is more than 30 years old. Updating components and integrating with newer systems have been a challenge and "security has largely been an afterthought," McAfee wrote in the report.

Cyber-criminals could debilitate a major city by targeting the energy grid and compromise lights and appliances in residents, life-saving equipment in hospitals, and impacting air defense systems, according to McAfee.

Fahmida Y. Rashid is a Senior Contributing Writer for SecurityWeek. She has experience writing and reviewing security, core Internet infrastructure, open source, networking, and storage. Before setting out her journalism shingle, she spent nine years as a help-desk technician, software and Web application developer, network administrator, and technology consultant.